Vulnerability

Detect CVE-2020-8554 using Falco

CVE-2020-8554 is a vulnerability that particularly affects multi-tenant Kubernetes clusters. If a potential attacker can create or edit services and pods, then they may be able to intercept traffic from other pods or nodes in the cluster. An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. In addition, an attacker that can patch the status of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

New Vulnerability Exposes Kubernetes to Man-in-the-Middle Attacks: How to Mitigate CVE-2020-8554

A few weeks ago a solution engineer discovered a critical flaw in Kubernetes architecture and design, and announced that a “security issue was discovered with Kubernetes affecting multi-tenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.” If a hostile user can create a ClusterIP service and set the spec.externalIP field, they can intercept traffic to that IP.

Mitigating Kubernetes Security Vulnerability when using ExternalIP Services (CVE-2020-8554)

Earlier this month the Kubernetes project discovered a security issue affecting multitenant clusters: If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster. An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP.

SolarWinds Update on Security Vulnerability

On Saturday, December 12, our CEO was advised by an executive at FireEye of a security vulnerability in our Orion Software Platform which was the result of a very sophisticated cyberattack on SolarWinds. We soon discovered that we had been the victim of a malicious cyberattack that impacted our Orion Platform products as well as our internal systems.

Coordinated disclosure of XML round-trip vulnerabilities in Go's standard library

This blog post is a part of Mattermost’s public disclosure of three serious vulnerabilities in Go’s encoding/xml related to tokenization round-trips. The public disclosure comes as a result of several months of work, including collaborating with the Go security team since August 2020 and with affected downstream project maintainers since earlier this month.

Tutorial: How to Use VMware Tanzu Mission Control to Remediate Kubernetes Vulnerability CVE-2020-8554

The upstream Kubernetes community recently discovered a security issue—CVE-2020-8554—affecting multitenant clusters that allows anyone who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. There is no patch for this issue yet, and it can currently only be mitigated by restricting access to the vulnerable features.

Vulnerability Management with ManageEngine Vulnerability Manager Plus

Vulnerability management is the cyclical process of identifying, evaluating, treating, and reporting on threats and vulnerabilities across your network endpoints. In this video, we take an in-depth look at the exhaustive threat and vulnerability management features of ManageEngine Vulnerability Manager Plus.

Ivanti Neurons for Patch Intelligence: Research, Prioritize, and Receive Improved Risk-Based Insights

Vulnerability remediation is still an ongoing struggle for organizations. A simple mistake could cause no issues, or it could set off a wide-scale, devastating, corporate breach. Why is this? There are many reasons. Security and Ops talk past one another. No one wants to be the one that broke something. Speed is hindered by ineffective testing.

Understanding and mitigating CVE-2020-8566: Ceph cluster admin credentials leaks in kube-controller-manager log

While auditing the Kubernetes source code, I recently discovered an issue (CVE-2020-8566) in Kubernetes that may cause sensitive data leakage. You would be affected by CVE-2020-8566 if you created a Kubernetes cluster using ceph cluster as storage class, with logging level set to four or above in kube-controller-manager. In that case, your ceph user credentials will be leaked in the cloud-controller-manager’s log.

The Industry is Driving Toward a 14-Day SLA on Vulnerability Remediation. What's Holding You Back?

Threat actors can move pretty fast. There are untold numbers of adversaries operating in the shadows looking for the next vulnerability they can exploit. Sometimes they find a vulnerability that hasn’t been identified by white-hat researchers or the vendors—resulting in a zero-day exploit—but most often they watch for public disclosures and updates from vendors to identify changes that have occurred in code.